CDA recommends members who are HIPAA-covered entities obtain the ADA Practical Guide to HIPAA Compliance for its comprehensive collection of templates for forms and written policies and procedures. When customizing the templates for use by the practice, make certain you include the following state requirements.
California allows 15 days to provide a copy and five working days for inspection. HIPAA allows 30 days. You must comply with the shorter term.
Patient requests to amend a record are uncommon in dental practices, but a HIPAA-covered entity must have policies and procedures for addressing these requests. Both HIPAA and state law provide patients the right to request amendments to their records. However, the laws differ in how a health care provider can respond to such a request. Ideally, a discussion with the patient regarding an amendment should be done prior to the initiation of the amendment process. Once a written request for amendment is submitted, the dentist must respond.
California law simply allows a patient to add a statement to the record. A patient amendment can be no longer than 250 words for each item that is believed to be incomplete or inaccurate. The health care provider must include a patient amendment in the record. Except for an emancipated minor, a minor patient does not have the right to amend his or her record.
Under HIPAA, a patient submits a request to the covered entity to amend the record. The health care provider can require a written request be submitted and that the patient provide a reason for the amendment. The provider should respond within 60 days of receiving the request but may have another 30 days if the extension is requested in advance from the patient.
Refer to the ADA guide to learn more about HIPAA’s requirements for responding to a patient request to amend a record.
In general, HIPAA allows a covered entity to use or disclose patient information for treatment, payment and business operations. California law, however, defines the unauthorized access of patient health information as those uses not for the purpose of diagnosis or treatment or as otherwise allowed by law. The allowed uses are included in California Civil Code Section 56.10. In summary, a patient’s information may be provided with certain limitations and without patient authorization only to:
Therefore, the disclosure of patient information for business operations that are not included in Section 56.10, such as collections or practice sale, should not occur unless the practice has obtained patient authorization for the disclosure. A patient’s signed acknowledgment of receipt of a notice of privacy practices that lists these business operations is not the same as patient authorization for disclosure.
Any form used by a HIPAA-covered entity to obtain authorization to use or disclose patient information must be in 14-pt type. A covered entity may also honor a request handwritten by the patient or patient’s legal representative and should attempt to obtain an expiration date or event for the authorization.
California requires notification of individuals and others when there is a breach of unencrypted, computerized information that has a person’s first name or first initial and last name in combination with any of the following:
The CDA resource “Data Breach Notification Requirements” can be included in a dental practice’s policies and procedures.